Manage Learn to apply best practices and optimize your operations.

MS Foils Coin Mining Compelling Telemetry Case

OK, then. I’m back from the Microsoft MVP Summit, and still catching up from all the buzz and running around. One recurring theme from the conference that is unclassified is the enduring value of telemetry. That’s the data that Windows 10 constantly ships back to HQ, to report on what systems and applications are doing. Various Microsoft mavens made the point that telemetry provides useful and important information. I heard this same message from numerous OS developers, applications folks, and security types. When MS foils coin mining in a big way, it’s obvious that telemetry can be a real system-saver.

The darker the country, the higher the Dofoil impact.
[Source: Microsoft; Click Image for Full-Sized View]

How Telemetry Translates into MS Foils Coin Mining

As reported at Infosecurity Magazine on March 8, MS detected a “massive and widespread” campaign that might have compromised half a million PCs or more. When the company detected — through telemetry from Windows Defender — a large number of sophisticated Trojans on March 6, it knew something was up. Over the next 12 hours, in fact, Defender fended off more than 400K new instances of those same Trojans. 73% of the reports came from Russia, 18% from Turkey, and 4% from Ukraine. They all pointed to a new strain of DoFoil (also called “Smoke Loader”) in the wild. DoFoil is popular because it uses the NiceHash function. This allows it to mine for a variety of cryptographic currencies. These particular samples mined Electroneum coins, but it could have been Bitcoin, Ethereum, or others.

The story quotes a March 6 Microsoft Secure blog post entitled “Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign.” Please read that story for all the interesting and intricate details of this clever and intricate attack. My point is that MS was able to use telemetry data to identify this outbreak, and to make sure its defense mechanisms could handle it and fend it off. If that telemetry data hadn’t been available, MS would have had to react to the attack after the fact. And because clean-up and repair are so much harder, more time-consuming, and expensive, that would have not been good at all. The following chart shows how telemetry drives recognition and response through machine learning:

The MS caption for this figure reads “Layered machine learning defenses in Windows Defender AV.”
[Click image for full-sized view.]

Again, if it weren’t for telemetry providing the data to feed the analysis and power those defenses, AI and machine learning would have nothing to work on — especially not in anything close to real time. And that, dear readers, is a compelling illlustration of why telemetry is valuable and important stuff!

Virtual Desktop